CVE-2023-49290
Denial of Service vulnerability in jwx (Go)

Denial of Service No known exploit

What is CVE-2023-49290 About?

github.com/lestrrat-go/jwx is a Go implementation of the JOSE family (JWA, JWE, JWK, JWS, JWT). Before versions 1.2.27 and 2.0.18 it is vulnerable to a denial of service during JWE decryption with the password-based key management algorithms PBES2-HS256+A128KW, PBES2-HS384+A192KW and PBES2-HS512+A256KW. These algorithms take their PBKDF2 iteration count from the p2c (PBES2 Count) parameter of the JWE protected header. The sender of the message controls that header, and the vulnerable versions honour whatever value it carries, so a message with a very large p2c makes the decrypting party spend as much CPU time on key derivation as the attacker chooses. Exploitation only requires delivering such a message to an application that decrypts JWE with a PBES2 key.

Affected Software

  • github.com/lestrrat-go/jwx
    • <1.2.27
  • github.com/lestrrat-go/jwx/v2
    • <2.0.18

Technical Details

PBES2 key management (RFC 7518 section 4.8) derives the key that wraps the content encryption key by running PBKDF2 over the recipient's password, with a salt of UTF8(alg) || 0x00 || p2s and an iteration count of p2c. Both p2s and p2c live in the JWE protected header, so the party that creates the message chooses them, and the decryptor has to run the derivation before it can unwrap the CEK and verify anything about the message. Vulnerable jwx versions pass p2c straight to PBKDF2 with no upper bound. The iteration count exists precisely to make password guessing slow, so decryption cost grows linearly with p2c; a p2c in the billions turns a single decrypt call into minutes or hours of HMAC computation. The resource exhausted is CPU time, not heap memory: each call blocks the goroutine handling it and, under a handful of concurrent requests, the whole process. The fixed releases reject p2c values above a maximum before deriving anything.

What is the Impact of CVE-2023-49290?

An attacker can make any service that decrypts JWE messages with a PBES2 algorithm spend an attacker-chosen amount of CPU time per message. Because the expensive work happens before the message is authenticated, a few crafted messages are enough to pin the decrypting process and deny service to legitimate users. No data is disclosed or modified.

What is the Exploitability of CVE-2023-49290?

Exploitation is low complexity: the attacker only needs to send a JWE whose protected header names a PBES2-* algorithm and sets p2c to a huge integer. The message does not need to decrypt successfully and the attacker does not need to know the password, because the derivation runs before the wrapped key can be checked. No authentication or privileges are required beyond reaching an endpoint that feeds untrusted JWEs to jwx's decryption with a PBES2 key, for example a token endpoint, an API that accepts encrypted assertions, or a queue consumer. Applications that never decrypt with password-based algorithms are far less exposed, but the safe assumption is that any service handling JWE from untrusted parties on a vulnerable version is affected.

What are the Known Public Exploits?

No known public exploits (no PoC, author, link or commentary on record).

What are the Available Fixes for CVE-2023-49290?

Available Upgrade Options

  • github.com/lestrrat-go/jwx/v2
    • <2.0.18 → Upgrade to 2.0.18
  • github.com/lestrrat-go/jwx
    • <1.2.27 → Upgrade to 1.2.27

Both fixed releases cap p2c before running PBKDF2; in v2.0.18 the limit is exposed through the jwe.WithMaxPBES2Count decrypt option, so a deployment that legitimately needs a higher count can raise it explicitly instead of accepting unbounded values. There is no workaround short of upgrading. If an older release must stay in place for a while, reject JWE protected headers with an unreasonable p2c, or with any PBES2-* alg you do not use, before the message reaches jwx.

Additional Resources

What are Similar Vulnerabilities to CVE-2023-49290?

Similar Vulnerabilities: CVE-2022-28362 , CVE-2022-28363 , CVE-2022-28364 , CVE-2022-28365 , CVE-2022-28366